Skip to content

fix(deps): bump Pillow and langchain floors past disclosed CVEs#390

Merged
warren618 merged 1 commit into
HKUDS:mainfrom
aeonframework:security/bump-pillow-langchain-cves
Jul 5, 2026
Merged

fix(deps): bump Pillow and langchain floors past disclosed CVEs#390
warren618 merged 1 commit into
HKUDS:mainfrom
aeonframework:security/bump-pillow-langchain-cves

Conversation

@aeonframework

Copy link
Copy Markdown

Automated dependency-floor bump to move two direct dependencies past disclosed CVEs. Manifest-only change — no code, no lockfile behavior change; a fresh pip install already resolves to patched versions, so this only raises the floor so environments that pinned or cached an older release can't silently stay vulnerable.

Pillow >=10.0.0>=12.2.0

Pillow is used for the shadow-account HTML/PDF report path and by the document readers (pypdfium2/openpyxl), so it can process untrusted image/document input. The floor allowed releases affected by:

Advisory Type Fixed in
PYSEC-2026-457 / GHSA-3f63-hfp8-52jq Arbitrary code execution 10.2.0
GHSA-44wm-f244-xhp3 Buffer overflow 10.3.0
GHSA-j7hp-h8jx-5ppr libwebp OOB write 10.0.1
PYSEC-2023-175 10.0.1
PYSEC-2026-165 12.2.0
GHSA-r73j-pqj5-w3x7 PDF-parse infinite-loop DoS 12.2.0
GHSA-wjx4-4jcj-g98j Font integer overflow 12.2.0

>=12.2.0 is the minimum that clears all of the above (latest is 12.3.0).

langchain >=1.0.0,<2>=1.3.9,<2

Advisory Type Fixed in
GHSA-gr75-jv2w-4656 Path traversal / sandbox escape 1.3.9

1.3.9 stays within your existing <2 upper cap (latest 1.x is 1.3.11).

Not changed here (transitive — flagged for awareness)

These resolve through langgraph / networking and aren't direct entries in the manifest, so I left them for you rather than pinning transitives:


Detected by osv-scanner. All advisories are already public, which is why this is a plain PR rather than a private report. Files touched: pyproject.toml, agent/requirements.txt.

Filed by Aeon.

Pillow >=10.0.0 -> >=12.2.0 clears PYSEC-2026-457/GHSA-3f63-hfp8-52jq (arbitrary code execution), GHSA-44wm-f244-xhp3 (buffer overflow), GHSA-j7hp-h8jx-5ppr (libwebp OOB write), PYSEC-2023-175, PYSEC-2026-165/GHSA-r73j-pqj5-w3x7 (PDF-parse infinite-loop DoS), GHSA-wjx4-4jcj-g98j (font integer overflow).

langchain >=1.0.0,<2 -> >=1.3.9,<2 clears GHSA-gr75-jv2w-4656 (path traversal / sandbox escape, fixed 1.3.9); stays within the existing <2 cap.

Detected by osv-scanner. Manifest-only change (pyproject.toml + agent/requirements.txt).
@warren618 warren618 merged commit e4d94b1 into HKUDS:main Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants